LUN based hard zoning in fibre channel switches

ABSTRACT

A method and system for implementing LUN based hard zoning in a fibre channel network is provided. A LUN field in a Fibre Channel SCSI command frame is compared with a list of LUNS that are allowed for a particular frame source; and the frame is forwarded if the LUN is allowed for the frame source. The comparison is performed by a port receiving the frame by using an address look up table (“ALUT”). Hard zoning is based on various frame fields and/or ALUT control codes. Also provided is a method for processing a reply to a SCSI REPORT LUN command from an initiator. The method includes, intercepting a reply to a REPORT LUN command; editing the reply to remove unauthorized LUNs; and sending the edited reply to the initiator.

CROSS REFERENCE TO RELATED APPLICATIONS:

This application claims priority under 35 U.S.C. § 119(e)(1) to the following provisional patent applications:

Filed on Sep. 19, 2003, Ser. No. 60/503,812, entitled “Method and System for Fibre Channel Switches”;

Filed on Jan. 21, 2004, Ser. No. 60/537,933 entitled “Method And System For Routing And Filtering Network Data Packets In Fibre Channel Systems”;

Filed on Jul. 21, 2003, Ser. No. 60/488,757, entitled “Method and System for Selecting Virtual Lanes in Fibre Channel Switches”;

Filed on Dec. 29, 2003, Ser. No. 60/532,965, entitled “Programmable Pseudo Virtual Lanes for Fibre Channel Systems”;

Filed on Sep. 19, 2003, Ser. No. 60/504,038, entitled “Method and System for Reducing Latency and Congestion in Fibre Channel Switches”;

Filed on Aug. 14, 2003, Ser. No. 60/495,212, entitled “Method and System for Detecting Congestion and Over Subscription in a Fibre channel Network”;

Filed on Aug. 14, 2003, Ser. No. 60/495,165, entitled “LUN Based Hard Zoning in Fibre Channel Switches”;

Filed on Sep. 19, 2003, Ser. No. 60/503,809, entitled “Multi Speed Cut Through Operation in Fibre Channel Switches”;

Filed on Sep. 23, 2003, Ser. No. 60/505,381, entitled “Method and System for Improving bandwidth and reducing Idles in Fibre Channel Switches”;

Filed on Sep. 23, 2003, Ser. No. 60/505,195, entitled “Method and System for Keeping a Fibre Channel Arbitrated Loop Open During Frame Gaps”;

Filed on Mar. 30, 2004, Ser. No. 60/557,613, entitled “Method and System for Congestion Control based on Optimum Bandwidth Allocation in a Fibre Channel Switch”;

Filed on Sep. 23, 2003, Ser. No. 60/505,075, entitled “Method and System for Programmable Data Dependent Network Routing”;

Filed on Sep. 19, 2003, Ser. No. 60/504,950, entitled “Method and System for Power Control of Fibre Channel Switches”;

Filed on Dec. 29, 2003, Ser. No. 60/532,967, entitled “Method and System for Buffer to Buffer Credit recovery in Fibre Channel Systems Using Virtual and/or Pseudo Virtual Lane”;

Filed on Dec. 29, 2003, Ser. No. 60/532,966, entitled “Method And System For Using Extended Fabric Features With Fibre Channel Switch Elements”;

Filed on Mar. 4, 2004, Ser. No. 60/550,250, entitled “Method And System for Programmable Data Dependent Network Routing”;

Filed on May 7, 2004, Ser. No. 60/569,436, entitled “Method And System For Congestion Control In A Fibre Channel Switch”;

Filed on May 18, 2004, Ser. No. 60/572,197, entitled “Method and System for Configuring Fibre Channel Ports”; and

Filed on Dec. 29, 2003, Ser. No. 60/532,963 entitled “Method and System for Managing Traffic in Fibre Channel Switches”.

The disclosure of the foregoing applications is incorporated herein by reference in their entirety.

BACKGROUND

2. Field of the Invention

The present invention relates to fibre channel systems, and more particularly to LUN based hard zoning in fibre channel switches.

2. Background of the Invention

Fibre channel is a set of American National Standards Institute (ANSI) standards, which provide a serial transmission protocol for storage and network protocols such as HIPPI, SCSI, IP, ATM and others. Fibre channel provides an input/output interface to meet the requirements of both channel and network users.

Fibre channel supports three different topologies: point-to-point, arbitrated loop and fibre channel fabric. The point-to-point topology attaches two devices directly. The arbitrated loop topology attaches devices in a loop. The fibre channel fabric topology attaches host systems directly to a fabric, which are then connected to multiple devices. The fibre channel fabric topology allows several media types to be interconnected.

Fibre channel is a closed system that relies on multiple ports to exchange information on attributes and characteristics to determine if the ports can operate together. If the ports can work together, they define the criteria under which they communicate.

In fibre channel, a path is established between two nodes where the path's primary task is to transport data from one point to another at high speed with low latency, performing only simple error detection in hardware.

Fibre channel fabric devices include a node port or “N_Port” that manages fabric connections. The N_port establishes a connection to a fabric element (e.g., a switch) having a fabric port or F_port. Fabric elements include the intelligence to handle routing, error detection, recovery, and similar management functions.

A fibre channel switch is a multi-port device where each port manages a simple point-to-point connection between itself and its attached system. Each port can be attached to a server, peripheral, I/O subsystem, bridge, hub, router, or even another switch. A switch receives messages from one port and automatically routes them to another port. Multiple calls or data transfers happen concurrently through the multi-port fibre channel switch.

Fibre channel switches use memory buffers to hold frames received and sent across a network. Associated with these buffers are credits, which are the number of frames that a buffer can hold per fabric port.

Fibre Channel allows the use of Small Computer System Interface (“SCSI”) protocol in storage area networks. SCSI storage devices are sub-divided into multiple Logical Unit Numbers (LUNs).

In Fibre Channel Fabrics, zoning is used to control access of devices attached to the Fabric to other devices. Hard Zoning is zoning that is enforced on individual frames sent from one end-user device to another end-user device by preventing delivery of frames across zone boundaries.

Conventional techniques and standards do not allow secure LUN based zoning for fibre channel switches. Hence, this can result in inadvertent or malicious access by devices that are not supposed to use a particular LUN.

Therefore, what is required is a process and system that can enforce secure LUN based hard zoning for fibre channel switches.

SUMMARY OF THE PRESENT INVENTION

In one aspect of the present invention, a method for implementing LUN based hard zoning in a fibre channel network is provided. The method includes comparing a LUN field in a Fibre Channel SCSI command frame with a list of LUNs that are allowed for a particular frame source; and forwarding the frame if the LUN is allowed for the frame source. The comparison is performed by a port receiving the frame by using an address look up table (“ALUT”).

In yet another aspect of the present invention, a method for processing a reply to a SCSI REPORT LUN command from an initiator is provided. The method includes intercepting a reply to a REPORT LUN command; editing the reply to remove unauthorized LUNs; and sending the edited reply to the initiator. An alias cache is set up to identify a reply to a SCSI REPORT LUN command and route the reply to a processor if a target for the REPORT LUN command is using LUN zoning.

In yet another aspect of the present invention, a Fibre Channel switch element for implementing LUN based hard zoning is provided. The switch element includes means for comparing a LUN field in a Fibre Channel SCSI command frame with a list of LUNs that are allowed for a particular frame source; and means for forwarding the frame if the LUN is allowed for the frame source. A port receiving the frame by using an ALUT performs the comparison.

This brief summary has been provided so that the nature of the invention may be understood quickly. A more complete understanding of the invention can be obtained by reference to the following detailed description of the preferred embodiments thereof concerning the attached drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing features and other features of the present invention will now be described with reference to the drawings of a preferred embodiment. In the drawings, the same components have the same reference numerals. The illustrated embodiment is intended to illustrate, but not to limit the invention. The drawings include the following Figures:

FIG. 1A shows an example of a Fibre Channel network system;

FIG. 1B shows an example of a Fibre Channel switch element, according to one aspect of the present invention;

FIG. 1C shows a block diagram of a 20-channel switch chassis, according to one aspect of the present invention;

FIG. 1D shows a block diagram of a Fibre Channel switch element with sixteen GL_Ports and four 10G ports, according to one aspect of the present invention;

FIGS. 2A-2B (jointly referred to as FIG. 2) show another block diagram of a Fibre Channel switch element with sixteen GL_Ports and four 10G ports, according to one aspect of the present invention;

FIGS. 3A/3B (jointly referred to as FIG. 3) show a block diagram of a GL_Port, according to one aspect of the present invention;

FIGS. 4A/4B (jointly referred to as FIG. 4) show a block diagram of an XG_Port (10G) port, according to one aspect of the present invention;

FIGS. 5A-5B (collectively referred to herein as FIG. 5) show a system according to one aspect of the present invention for LUN based hard zoning;

FIG. 6 shows a flow diagram for modifying SCSI LUN reports, according to one aspect of the present invention; and

FIGS. 7A-7B (collectively referred to as FIG. 7) show a flow diagram for LUN based hard zoning frame processing, according to one aspect of the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Definitions:

The following definitions are provided as they are typically (but not exclusively) used in the fibre channel environment, implementing the various adaptive aspects of the present invention.

“E-Port”: A fabric expansion port that attaches to another Interconnect port to create an Inter-Switch Link.

“F_Port”: A port to which non-loop N_Ports are attached to a fabric and does not include FL_ports.

“Fibre channel ANSI Standard”: The standard (incorporated herein by reference in its entirety) describes the physical interface, transmission and signaling protocol of a high performance serial link for support of other high level protocols associated with IPI, SCSI, IP, ATM and others.

“FC-1”: Fibre channel transmission protocol, which includes serial encoding, decoding and error control.

“FC-2”: Fibre channel signaling protocol that includes frame structure and byte sequences.

“FC-3”: Defines a set of fibre channel services that are common across plural ports of a node.

“FC-4”: Provides mapping between lower levels of fibre channel, IPI and SCSI command sets, HIPPI data framing, IP and other upper level protocols.

“Fabric”: The structure or organization of a group of switches, target and host devices (NL_Port, N_ports etc.).

“Fabric Topology”: This is a topology where a device is directly attached to a fibre channel fabric that uses destination identifiers embedded in frame headers to route frames through a fibre channel fabric to a desired destination.

“FC-FS”: Fibre channel standard (incorporated herein by reference in its entirety) for framing and signaling, which includes frame structure, basic link maintenance and login, and sequence and exchange operation.

“FC-FCP-2”: Fibre Channel protocol for mapping SCSI to Fibre Channel.

“FCP_CMND”: Fibre Channel frame defined in FC-FCP-2 standard that carries SCSI commands.

“FCP_DATA”: Fibre Channel frame defined in FC-FCP-2 standard (incorporated herein by reference in its entirety) that carries SCSI data.

“FL_Port”: A L_Port that is able to perform the function of a F_Port, attached via a link to one or more NL_Ports in an Arbitrated Loop topology.

“Inter-Switch Link”: A Link directly connecting the E_port of one switch to the E_port of another switch.

“Port”: A general reference to N_Port or F_Port.

“L_Port”: A port that contains Arbitrated Loop functions associated with the Arbitrated Loop topology.

“LUN”: Logical Unit Number that identifies a sub-unit within a SCSI device (per the SAM-2 standard, incorporated herein by reference in its entirety).

“N-Port”: A direct fabric attached port.

“NL_Port”: A L_Port that can perform the function of a N_Port.

“R_CTL”: An 8 bit Fibre Channel frame header field that identifies the type of frame (per the FC-FS standard).

“SAM-2”: The standard for SCSI Architecture Model 2, incorporated herein by reference in its entirety.

“SCSI”: Small Computer Systems Interface.

“S_ID”: Fibre Channel frame header field containing the source address (per the FC-FS standard).

“SCSI initiator”: A SCSI device that initiates a SCSI input/output (“I/O”) operation.

“SPC-2”: Standard for SCSI Primary Commands incorporated herein by reference in its entirety.

“SCSI target”: A SCSI device that responds to I/O operations from a SCSI initiator and typically is a storage device.

“Switch”: A fabric element conforming to the Fibre Channel Switch standards.

In one aspect of the present invention, hard zoning is extended to SCSI LUNs so that a SCSI initiator can access some LUNs associated with a particular Fibre Channel port, but is denied access to others. A method is also provided for a fibre channel switch to intercept and edit the “SCSI REPORT LUNS” command so that SCSI initiators do not try to access LUNs that they are not allowed to use, hence avoiding extra error reporting.

In another aspect of the present invention, implementing LUN based hard zoning on a Fibre Channel switch allows secure access to individual LUNs on SCSI devices by preventing inadvertent or malicious access by devices that are not supposed to use a particular LUN.

Fibre Channel System:

To facilitate an understanding of the preferred embodiment, the general architecture and operation of a fibre channel system will be described. The specific architecture and operation of the preferred embodiment will then be described with reference to the general architecture of the fibre channel system.

FIG. 1A is a block diagram of a fibre channel system 100 implementing the methods and systems in accordance with the adaptive aspects of the present invention. System 100 includes plural devices that are interconnected. Each device includes one or more ports, classified as node ports (N_Ports), fabric ports (F_Ports), and expansion ports (E_Ports). Node ports may be located in a node device, e.g. server 103, disk array 105 and storage device 104. Fabric ports are located in fabric devices such as switch 101 and 102. Arbitrated loop 106 may be operationally coupled to switch 101 using arbitrated loop ports (FL_Ports).

The devices of FIG. 1A are operationally coupled via “links” or “paths”. A path may be established between two N_ports, e.g. between server 103 and storage 104. A packet-switched path may be established using multiple links, e.g. an N-Port in server 103 may establish a path with disk array 105 through switch 102.

FABRIC SWITCH ELEMENT

FIG. 1B is a block diagram of a 20-port ASIC fabric element according to one aspect of the present invention. FIG. 1B provides the general architecture of a 20-channel switch chassis using the 20-port fabric element. Fabric element includes ASIC 20 with non-blocking fibre channel class 2 (connectionless, acknowledged) and class 3 (connectionless, unacknowledged) service between any ports. It is noteworthy that ASIC 20 may also be designed for class 1 (connection-oriented) service, within the scope and operation of the present invention as described herein.

The fabric element of the present invention is presently implemented as a single CMOS ASIC, and for this reason the term “fabric element” and ASIC are used interchangeably to refer to the preferred embodiments in this specification. Although FIG. 1B shows 20 ports, the present invention is not limited to any particular number of ports.

ASIC 20 has 20 ports numbered in FIG. 1B as GL0 through GL19. These ports are generic to common Fibre Channel port types, for example, F_Port, FL_Port and E-Port. In other words, depending upon what it is attached to, each GL port can function as any type of port. Also, the GL port may function as a special port useful in fabric element linking, as described below.

For illustration purposes only, all GL ports are drawn on the same side of ASIC 20 in FIG. 1B. However, the ports may be located on both sides of ASIC 20 as shown in other figures. This does not imply any difference in port or ASIC design. Actual physical layout of the ports will depend on the physical layout of the ASIC.

Each port GL0-GL19 has transmit and receive connections to switch crossbar 50. One connection is through receive buffer 52, which functions to receive and temporarily hold a frame during a routing operation. The other connection is through a transmit buffer 54.

Switch crossbar 50 includes a number of switch crossbars for handling specific types of data and data flow control information. For illustration purposes only, switch crossbar 50 is shown as a single crossbar. Switch crossbar 50 is a connectionless crossbar (packet switch) of known conventional design, sized to connect 21×21 paths. This is to accommodate 20 GL ports plus a port for connection to a fabric controller, which may be external to ASIC 20.

In the preferred embodiments of switch chassis described herein, the fabric controller is a firmware-programmed microprocessor, also referred to as the input/output processor (“IOP”). IOP 66 is shown in FIG. 1C as a part of a switch chassis utilizing one or more of ASIC 20. As seen in FIG. 1B, bi-directional connection to IOP 66 is routed through port 67, which connects internally to a control bus 60. Transmit buffer 56, receive buffer 58, control register 62 and Status register 64 connect to bus 60. Transmit buffer 56 and receive buffer 58 connect the internal connectionless switch crossbar 50 to IOP 66 so that it can source or sink frames.

Control register 62 receives and holds control information from IOP 66, so that IOP 66 can change characteristics or operating configuration of ASIC 20 by placing certain control words in register 62. IOP 66 can read status of ASIC 20 by monitoring various codes that are placed in status register 64 by monitoring circuits (not shown).

FIG. 1C shows a 20-channel switch chassis S2 using ASIC 20 and IOP 66. S2 will also include other elements, for example, a power supply (not shown). The 20 GL ports correspond to channel C0-C19. Each GL port has a serial/deserializer (SERDES) designated as S0-S19. Ideally, the SERDES functions are implemented on ASIC 20 for efficiency, but may alternatively be external to each GL port.

Each GL port has an optical-electric converter, designated as OE0-OE19 connected with its SERDES through serial lines, for providing fibre optic input/output connections, as is well known in the high performance switch design. The converters connect to switch channels C0-C19. It is noteworthy that the ports can connect through copper paths or other means instead of optical-electric converters.

FIG. 1D shows a block diagram of ASIC 20 with sixteen GL ports and four 10 G (Gigabyte) port control modules designated as XG0-XG3 for four 10G ports designated as XGP0-XGP3. ASIC 20 includes a control port 62A that is coupled to IOP 66 through a PCI connection 66A.

FIG. 1E-1/1E-2 (jointly referred to as FIG. 1E) show yet another block diagram of ASIC 20 with sixteen GL and four XG port control modules. Each GL port control module has a Receive port (RPORT) 69 with a receive buffer (RBUF) 69A and a transmit port 70 with a transmit buffer (TBUF) 70A, as described below in detail. GL and XG port control modules are coupled to physical media devices (“PMD”) 76 and 75 respectively.

Control port module 62A includes control buffers 62B and 62D for transmit and receive sides, respectively. Module 62A also includes a PCI interface module 62C that allows interface with IOP 66 via a PCI bus 66A.

XG_Port (for example 74B) includes RPORT 72 with RBUF 71 similar to RPORT 69 and RBUF 69A and a TBUF and TPORT similar to TBUF 70A and TPORT 70. Protocol module 73 interfaces with SERDES to handle protocol based functionality.

GL Port:

FIGS. 3A-3B (referred to as FIG. 3) show a detailed block diagram of a GL port as used in ASIC 20. GL port 300 is shown in three segments, namely, receive segment (RPORT) 310, transmit segment (TPORT) 312 and common segment 311.

Receive Segment of GL Port:

Frames enter through link 301 and SERDES 302 converts data into 10-bit parallel data to fibre channel characters, which are then sent to receive pipe (“Rpipe” may also be referred to as “Rpipe1” or “Rpipe2”) 303A via a de-multiplexer (DEMUX) 303. Rpipe 303A includes parity module 305 and decoder 304. Decoder 304 decodes 10B data to 8B and parity module 305 adds a parity bit. Rpipe 303A also performs various Fibre Channel standard functions such as detecting a start of frame (SOF), end-of-frame (EOF), Idles, R_RDYs (fibre channel standard primitive) and the like, which are not described since they are standard functions.

Rpipe 303A connects to smoothing FIFO (SMF) module 306 that performs smoothing functions to accommodate clock frequency variations between remote transmitting and local receiving devices.

Frames received by RPORT 310 are stored in receive buffer (RBUF) 69A (except for certain Fibre Channel Arbitrated Loop (AL) frames). Path 309 shows the frame entry path, and all frames entering path 309 are written to RBUF 69A as opposed to the AL path 308.

Cyclic redundancy code (CRC) module 313 further processes frames that enter GL port 300 by checking CRC and processing errors according to FC_PH rules. The frames are subsequently passed to RBUF 69A where they are steered to an appropriate output link. RBUF 69A is a link receive buffer and can hold multiple frames.

Reading from and writing to RBUF 69A are controlled by RBUF read control logic (“RRD”) 319 and RBUF write control logic (“RWT”) 307, respectively. RWT 307 specifies which empty RBUF 69A slot will be written into when a frame arrives through the data link via multiplexer (“Mux”) 313B, CRC generate module 313A and EF (external proprietary format) module 314. EF module 314 encodes proprietary (i.e. non-standard) format frames to standard Fibre Channel 8B codes. Mux 313B receives input from Rx Spoof module 314A, which encodes frames to a proprietary format (if enabled). RWT 307 controls RBUF 69A write addresses and provides the slot number to tag writer (“TWT”) 317.

RRD 319 processes frame transfer requests from RBUF 69A. Frames may be read out in any order and multiple destinations may get copies of the frames.

Steering state machine (SSM) 316 receives frames and determines the destination for forwarding the frame. SSM 316 produces a destination mask, where there is one bit for each destination. Any bit set to a certain value, for example, 1, specifies a legal destination, and there can be multiple bits set, if there are multiple destinations for the same frame (multicast or broadcast).

SSM 316 makes this determination using information from alias cache 315, steering registers 316A, control register 326 values and frame contents. IOP 66 writes all tables so that the correct exit path is selected for the intended destination port addresses.

The destination mask from SSM 316 is sent to TWT 317 and a RBUF tag register (RTAG) 318. TWT 317 writes tags to all destinations specified in the destination mask from SSM 316. Each tag identifies its corresponding frame by containing an RBUF 69A slot number where the frame resides, and an indication that the tag is valid.

Each slot in RBUF 69A has an associated set of tags, which are used to control the availability of the slot. The primary tags are a copy of the destination mask generated by SSM 316. As each destination receives a copy of the frame, the destination mask in RTAG 318 is cleared. When all the mask bits are cleared, it indicates that all destinations have received a copy of the frame and that the corresponding frame slot in RBUF 69A is empty and available for a new frame.

RTAG 318 also has frame content information that is passed to a requesting destination to pre-condition the destination for the frame transfer. These tags are transferred to the destination via a read multiplexer (RMUX) (not shown).

Transmit Segment of GL Port:

Transmit segment (“TPORT”) 312 performs various transmit functions. Transmit tag register (TTAG) 330 provides a list of all frames that are to be transmitted. Tag Writer 317 or common segment 311 write TTAG 330 information. The frames are provided to arbitration module (“transmit arbiter” (“TARB”)) 331, which is then free to choose which source to process and which frame from that source to be processed next.

TTAG 330 includes a collection of buffers (for example, buffers based on a first-in first out (“FIFO”) scheme) for each frame source. TTAG 330 writes a tag for a source and TARB 331 then reads the tag. For any given source, there are as many entries in TTAG 330 as there are credits in RBUF 69A.

TARB 331 is activated anytime there are one or more valid frame tags in TTAG 330. TARB 331 preconditions its controls for a frame and then waits for the frame to be written into TBUF 70A. After the transfer is complete, TARB 331 may request another frame from the same source or choose to service another source.

TBUF 70A is the path to the link transmitter. Typically, frames don't land in TBUF 70A in their entirety. Mostly, frames simply pass through TBUF 70A to reach output pins, if there is a clear path.

Switch Mux 332 is also provided to receive output from crossbar 50. Switch Mux 332 receives input from plural RBUFs (shown as RBUF 00 to RBUF 19), and input from CPORT 62A shown as CBUF 1 frame/status. TARB 331 determines the frame source that is selected and the selected source provides the appropriate slot number. The output from Switch Mux 332 is sent to ALUT 323 for S_ID spoofing and the result is fed into TBUF Tags 333.

TMUX (“TxMUX”) 339 chooses which data path to connect to the transmitter. The sources are: primitive sequences specified by IOP 66 via control registers 326 (shown as primitive 339A), and signals as specified by Transmit state machine (“TSM”) 346, frames following the loop path, or steered frames exiting the fabric via TBUF 70A.

TSM 346 chooses the data to be sent to the link transmitter, and enforces all Fibre Channel rules for transmission. TSM 346 receives requests to transmit from loop state machine 320, TBUF 70A (shown as TARB request 346A) and from various other IOP 66 functions via control registers 326 (shown as IBUF Request 345A). TSM 346 also handles all credit management functions, so that Fibre Channel connectionless frames are transmitted only when there is link credit to do so.

Loop state machine (“LPSM”) 320 controls transmit and receive functions when GL_Port is in a loop mode. LPSM 320 operates to support loop functions as specified by FC-AL-2.

IOP buffer (“IBUF”) 345 provides IOP 66 the means for transmitting frames for special purposes.

Frame multiplexer (“Frame Mux” or “Mux”) 336 chooses the frame source, while logic (TX spoof 334) converts D_ID and S_ID from public to private addresses. Frame Mux 336 receives input from Tx Spoof module 334, TBUF tags 333, and Mux 335 to select a frame source for transmission.

EF (external proprietary format) module 338 encodes proprietary (i.e. non-standard) format frames to standard Fibre Channel 8B codes and CRC module 337 generates CRC data for the outgoing frames.

Modules 340-343 put a selected transmission source into proper format for transmission on an output link 344. Parity 340 checks for parity errors, when frames are encoded from 8B to 10B by encoder 341, marking frames “invalid”, according to Fibre Channel rules, if there was a parity error. Phase FIFO 342A receives frames from encode module 341 and the frame is selected by Mux 342 and passed to SERDES 343. SERDES 343 converts parallel transmission data to serial before passing the data to the link media. SERDES 343 may be internal or external to ASIC 20.

Common Segment of GL Port:

As discussed above, ASIC 20 includes common segment 311 comprising various modules. LPSM 320 has been described above and controls the general behavior of TPORT 312 and RPORT 310.

A loop look up table (“LLUT”) 322 and an address look up table system (“ALUT”) 323 are used for private loop proxy addressing and hard zoning managed by firmware.

Common segment 311 also includes control register 326 that controls bits associated with a GL_Port, status register 324 that contains status bits that can be used to trigger interrupts, and interrupt mask register 325 that contains masks to determine the status bits that will generate an interrupt to IOP 66. Common segment 311 also includes AL control and status register 328 and statistics register 327 that provide accounting information for FC management information base (“MIB”).

Output from status register 324 may be used to generate a Fp Peek function. This allows a status register 324 bit to be viewed and sent to the CPORT.

Output from control register 326, statistics register 327 and register 328 (as well as 328A for an X_Port, shown in FIG. 4) is sent to Mux 329 that generates an output signal (FP Port Reg Out).

Output from Interrupt register 325 and status register 324 is sent to logic 335 to generate a port interrupt signal (FP Port Interrupt).

BIST module 321 is used for conducting embedded memory testing.

XG Port

FIGS. 4A-4B (referred to as FIG. 4) show a block diagram of a 10G Fibre Channel port control module (XG FPORT) 400 used in ASIC 20. Various components of XG FPORT 400 are similar to GL port control module 300 that are described above. For example, RPORT 310 and 310A, Common Port 311 and 311A, and TPORT 312 and 312A have common modules as shown in FIGS. 3 and 4 with similar functionality.

RPORT 310A can receive frames from links (or lanes) 301A-301D and transmit frames to lanes 344A-344D. Each link has a SERDES (302A-302D), a de-skew module, a decode module (303B-303E) and parity module (304A-304D). Each lane also has a smoothing FIFO (SMF) module 305A-305D that performs smoothing functions to accommodate clock frequency variations. Parity errors are checked by module 403, while CRC errors are checked by module 404.

RPORT 310A uses a virtual lane (“VL”) cache 402 that stores plural vector values that are used for virtual lane assignment. In one aspect of the present invention, VL Cache 402 may have 32 entries and two vectors per entry. IOP 66 is able to read or write VL cache 402 entries during frame traffic. State machine 401 controls credit that is received. On the transmit side, credit state machine 347 controls frame transmission based on credit availability. State machine 347 interfaces with credit counters 328A.

Also on the transmit side, modules 340-343 are used for each lane 344A-344D, i.e., each lane can have its own module 340-343. Parity module 340 checks for parity errors and encode module 341 encodes 8-bit data to 10 bit data. Mux 342B sends the 10-bit data to a smoothing (“TxSMF”) module 342 that handles clock variation on the transmit side. SERDES 343 then sends the data out to the link.

LUN BASED HARD ZONING:

In one aspect of the present invention, filtering FCP_CMND messagesenforces LUN based hard zoning. A Fibre Channel switch port checks theLUN field in the payload of a FCP_CMND Fibre Channel frame against alist of LUNs that are allowed for a particular source of the frame. Thishard zoning is enforced on a frame-by-frame basis. The switch portattached to the destination of the frame performs the check. FCP_CMNDframes are forwarded to the attached port only if the LUN in the frameis an allowed LUN for that source port. Hence, unauthorized SCSIinitiator ports are unable to perform any SCSI based operations with thezoned target port because the FCP_CMND messages are filtered.

Fibre Channel header fields identify FCP_CMND frames as follows:

“Type”: SCSI frames have the “Type” field equal to 8 per the FC-FS standard.

“R_CTL”: The upper 4 bits of this field are 0 (Device Data frame) and the lower 4 bits are 6 (which indicates that it is an “Unsolicited Command”), per the FC-FS and FC-FCP-2 standards.

FIGS. 5A-5B (collectively referred to herein as FIG. 5) show system 323 according to one aspect of the present invention for LUN based hard zoning.

Each time an FCP_CMND frame arrives from a switch port, the S_ID 501 is compared to ALUT 323A entries (502) by compare module 500. The compare process may be performed using associative memory hardware (not shown), or by any other lookup method, for example, hashing.

ALUT 323A and LUN bit table 508 values are used to check FCP_CMND frames. To illustrate the adaptive aspects of the present invention, the following fields are used to enforce LUN based hard zoning:

ALUT 323A Fields:

The following fields may be used for LUN zoning, according to one aspect of the present invention:

Domain: This is an 8-bit field that is compared with bits 16-23 of the S_ID 501, if enabled.

Area: This is an 8-bit field that is compared to bits 8-15 of the frame S_ID 501, if enabled.

Port: This is an 8-bit field that is compared to bits 0-7 of the frame S_ID 501, if enabled.

A compare mask (a 2-bit field) controls how compare module 500 performs the comparison. The following bit values determine what values of S_ID 501 are compared with ALUT 323A entries.

0—ALUT entry is not valid, hence, not compared

1—Compare Domain, Area, and Port entries with frame S_ID Domain, Area and Port fields

2—Compare Domain and Area entries with frame S_ID Domain and Area fields

3—Compare only Domain entry with frame S_ID Domain field

A Control Code 506 defines how LUN table address field 507 is interpreted. Control Code 506 may be a 2-bit field, defined as follows:

0—If compare matches, use LUN address field as control code, based on the following:

LUN address field=000, discard frame

LUN address field=001, do not check LUN (frame passes)

2—If compare matches, then LUN table address field is used to address the LUN bit map table (508).

LUN table address 507 is used to address a LUN table 508 entry, which contains a bit map that indicates which LUNs are acceptable. LUN table 508 is populated by LUN bit values from a frame and ALUT 323A, shown as 520 and 519, respectively, in FIG. 5B. Each entry in LUN table 508 is a bit map where each bit corresponds to a particular LUN number. The total number of LUNs that are supported depends on the size of the bit map.

The size of the LUN bit map table 508 may be 128 bits, so bits 16-22 of the 1st payload word are used as bits 0-6 of the LUN. With a 128-bit table, the maximum number of LUNs that can be zoned is 128.

If LUN bit map 508 is implemented as 32-bit words, then the address of the word is derived from bits 5-6 of the LUN field as the lower 2 bits of the address, and the LUN table address 507 from the matching ALUT 323A entry is derived as bits 2-n of the LUN bit map word address. Bits 0-4 of the LUN field (shown as 511, FIG. 5B) select one of the 32 bits in the word to check for a valid LUN (using Multiplexer (“Mux”) 510).

In one aspect, a part of the 64-bit LUN field in the FCP_CMND frame may be limited to the first level LUN, which is located within bits 16-31 of the 1st word of the FCP_CMND frame payload (per standard SAM-2). If 128 bits are used for LUN table 508 entries, then LUN values between 0 and 127 can be checked.

As shown in FIG. 5B, LUN table value 509 and LUN bits 0:4 are sent to gate 512 via Mux 510. Gate 512 receives the first bit of control code 506 and the output from Mux 510. The output of gate 512 is sent to gate 513, which receives two other inputs: a value based on whether the control code 506 is equal to 0 and LUN table address 509 is equal to 1, and a value showing whether the R_CTL field is not equal to 1. Output 516 from gate 513 is sent to gate 514, which generates a valid frame 517 based on ALUT hit signal 503, signal 503A and output 516.

Gate 515 receives an input via gate 516A (that receives 503 and 504). Gate 515 also receives an input when the control code 506 is equal to 0 and LUN table address 509 is equal to 0. Based on the two inputs, gate 515 generates a “toss frame” signal 518.

It is noteworthy that the present invention is not limited to any particular logic layout; other logic combinations may be used to implement the adaptive aspects of the present invention.

The following is the outcome of S_ID 501 comparison to ALUT 323A entries 502:

If no ALUT 323A entries match an FCP_CMND frame, the frame is rejected based on signal 518.

If multiple ALUT 323A entries match (504), the frame is rejected based on signal 518.

If there is an ALUT 323A match (503), and Control Code 506 is 0, and LUN table address field 507 is 0, then the frame is rejected (or tossed) based on signal 518.

If there is an ALUT 323A match (503), and Control Code 506 is 0, and the LUN table address field 507 is 1, then the frame is valid for all LUNs and is transmitted (shown as signal 517).

If there is an ALUT 323A match (503), and Control Code is 2, then LUN table address field 507 is used to address the LUN bit map. The LUN from the FCP_CMND payload word 0, bits 16-31 (number of bits used depends on size of bit map) is used to index bit map table 508.

If the bit is set, the frame is valid. If the bit is not set, the frame is rejected. If the frame is not an FCP_CMND and does not contain a LUN field, then only the ALUT 323A match and a Control Code 506 value equal to 2 are required for valid frame transmission.

If a frame is rejected, it could either be discarded or sent to IOP 66. A policy control code (described below) may be used to decide the disposition of frames rejected by LUN hard zoning. The switch in question may want to bring frames that fail LUN hard zoning to IOP 66 so that the switch can send an FCP_RESP with a “SCSI CHECK CONDITION” back to the initiator.

If a frame is valid, it is transmitted to the attached port. Since LUN 0 is valid for all SCSI devices, the bit for LUN 0 is most likely set for all LUN bit maps. This allows the “SCSI INQUIRY” command to be processed.

FIGS. 7A-7B (collectively referred to as FIG. 7) show a flow diagram for LUN based hard zoning frame processing. The process starts in step S700 when a frame is ready to be transmitted from a port. In step S701, the process compares a frame's S_ID 501 with ALUT 323A entries. This is performed by compare module 500.

In step S702, the process determines if the S_ID domain value matches the ALUT domain values. If the values do not match, then in step S708, the process determines if all ALUT 323A entries have been compared. If not all ALUT 323A entries have been compared, the process moves to step S709 and then back to S702.

If all ALUT entries have been compared in step S708, then in step S711, the process determines if there are any ALUT 323A matches. If there are no matches, then in step S710, the process rejects the frame.

If there is a match in step S711, then the process determines in step S712 if there are multiple matches. If there are multiple matches, then the frame is rejected in step S710. If there are no multiple matches, then in step S713, the LUN is validated, as described below (FIG. 7B).

In step S703, the process determines if the Area field comparison is enabled. If the Area field is not enabled, the process moves to step S704. If enabled, then in step S707, the process determines if the ALUT 323A entry matches the frame area field. If there is a match, the process moves to step S704. If there is no match, then the process moves to step S708.

In step S704, the process determines if Port field comparison is enabled. If the port field comparison is enabled, then the port field of the frame is compared to the ALUT 323A port field in step S706. If the fields do not match, the process moves to step S708. If the frame and ALUT 323A port fields match, then the process moves to step S705, where an ALUT match is confirmed and the process moves to step S708.

In step S714, the process determines if the frame's R_CTL field value is equal to that of the FCP-CMD (for example 06). If it is, then in step S715, control code 506 and LUN address 507 are obtained from the matching ALUT 323A entry. If the R_CTL field of the frame is not equal to the FCP_CMND value, then in step S722, the process accepts the frame for transmission.

In step S716, the process determines if the control code 506 value is zero. If the control code 506 is zero, then in step S716A, the process determines if LUN address 507 is zero. If it is zero, then the frame is tossed in step S723.

If the LUN address 507 is 1 (i.e. not 0), as determined in step S721, then the frame is accepted in step S722.

If the LUN address 507 is not equal to 1, then the frame is rejected in step S720.

In step S717, the process determines if the control code 506 is 2. If it is, then in step S718, the LUN address from ALUT 323A is used to get the LUN bitmap, and if the LUN bit for the frame LUN is set in step S719, then the frame is accepted in step S722; otherwise it is rejected in step S720.

It is noteworthy that the foregoing process is not limited to any particular code or bit value. Any value(s) may be designated to implement the foregoing process steps.
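The decision described above (compare mask, control code, and the 32-bit-word LUN bit map addressing) can be modelled in software as follows. This is an added example, not code from the patent: the type and function names, the sample tables, the choice to evaluate the toss entry before the R_CTL check, and the fail-closed handling of undefined control codes and of LUN bits 23-31 are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

#define R_CTL_FCP_CMND 0x06
enum verdict { FRAME_VALID, FRAME_REJECT, FRAME_TOSS };

struct alut_entry {
    uint8_t  domain, area, port; /* compared with S_ID bits 16-23, 8-15, 0-7 */
    uint8_t  compare_mask;       /* 0 invalid, 1 D+A+P, 2 D+A, 3 D only */
    uint8_t  control_code;       /* 0: address field is a code, 2: bitmap */
    uint16_t lun_addr;           /* LUN table address field */
};

/* Constructed sample: S_ID 0x010203 may use LUNs 0, 5 and 70 only. */
static const struct alut_entry sample_alut[] = {
    { 0x01, 0x02, 0x03, 1, 2, 0 },   /* exact S_ID, LUN bitmap at address 0 */
    { 0x02, 0x00, 0x00, 3, 0, 1 },   /* domain 0x02: all LUNs pass */
    { 0x03, 0x00, 0x00, 3, 0, 0 },   /* domain 0x03: toss */
    { 0x05, 0x00, 0x00, 3, 0, 1 },   /* overlaps the next entry */
    { 0x05, 0x01, 0x00, 2, 0, 1 },
};
static const uint32_t sample_luns[4] = { (1u << 0) | (1u << 5), 0, 1u << 6, 0 };

static int alut_match(const struct alut_entry *e, uint32_t s_id)
{
    uint8_t d = (uint8_t)(s_id >> 16), a = (uint8_t)(s_id >> 8), p = (uint8_t)s_id;
    switch (e->compare_mask) {
    case 1:  return e->domain == d && e->area == a && e->port == p;
    case 2:  return e->domain == d && e->area == a;
    case 3:  return e->domain == d;
    default: return 0;               /* mask 0: entry not valid */
    }
}

enum verdict lun_zone_check(const struct alut_entry *alut, size_t n,
                            const uint32_t *lun_table, size_t table_words,
                            uint32_t s_id, uint8_t r_ctl, uint32_t word0)
{
    const struct alut_entry *hit = NULL;
    size_t hits = 0;

    for (size_t i = 0; i < n; i++)
        if (alut_match(&alut[i], s_id)) { hit = &alut[i]; hits++; }
    if (hits != 1)
        return FRAME_REJECT;         /* no match, or multiple matches */
    if (hit->control_code == 0 && hit->lun_addr == 0)
        return FRAME_TOSS;           /* discarded regardless of reject policy */
    if (r_ctl != R_CTL_FCP_CMND)
        return FRAME_VALID;          /* not an FCP_CMND: no LUN to check */
    if (hit->control_code == 0)
        return hit->lun_addr == 1 ? FRAME_VALID : FRAME_REJECT;
    if (hit->control_code != 2)
        return FRAME_REJECT;         /* assumption: undefined codes fail closed */

    /* 128-bit map: payload word 0 bits 16-22 are LUN bits 0-6. Assumption:
     * bits 23-31 set means a LUN outside the map, rejected rather than aliased. */
    uint32_t lun  = (word0 >> 16) & 0x7F;
    size_t   word = ((size_t)hit->lun_addr << 2) | (lun >> 5);  /* LUN bits 5-6 */
    if ((word0 >> 23) != 0 || word >= table_words)
        return FRAME_REJECT;
    return ((lun_table[word] >> (lun & 0x1F)) & 1) ? FRAME_VALID : FRAME_REJECT;
}
```

Without the check on bits 23-31, a command for LUN 133 (hex 85) would be masked to LUN 5 and pass the sample bit map.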

Rejected Frame Disposition:

The frames that are rejected may be disposed of by a programmable policy. In one aspect of the present invention, the frame may be disposed of as follows:

Class 3 frames:

Discard frame; or

Send frame to IOP 66

Class 2 frames:

Send frame to IOP 66

Send truncated frame (FC header minus CRC and EOF code) to IOP 66.

Since Class 2 frames acknowledge all data frames, the truncated frame is sent to IOP 66 so that a class 2 “F_RJT” primitive can be used to acknowledge the frame. The frame can be truncated to avoid moving the entire frame if the payload is not going to be used.

Statistics Counters/Status Registers:

In one aspect of the present invention, statistics counters 327 include two counters for ports using LUN hard zoning:

A first counter counts the number of hard zoning violations that are detected; and

A second counter counts the number of class 3 frames that are discarded because of hard zoning violations.

It is noteworthy that an ALUT 323A entry with a control code 506 value of 0 and a LUN map address 507 value of 0 causes a frame to be tossed (step S720), regardless of the rejected frame policy. In this case, the statistics counters 327 are not incremented. This can be used against a denial of service attack (flooding a port with frames, and forcing the port to process them). If such an attack is detected, an ALUT 323A entry can be programmed to toss the frames, avoiding any further overhead in processing or transmitting the frames. A Status Register 324 bit indicates violations and tossing of different frame classes.

Modifying SCSI REPORT LUNS Reply Data (Soft LUN Zoning)

SCSI initiators use the “REPORT LUNS” command to discover LUNs on a SCSI target. If some of the LUNs reported by the reply to the REPORT LUNS command are filtered by LUN hard zoning, attempts by the initiator to access these will fail, causing errors to be reported. To prevent this, in one aspect of the present invention, a method is provided to intercept the reply to a REPORT LUNS command, edit the reply to remove unauthorized LUNs, and then pass it to the initiator.

Alias cache 315 allows frames to be routed depending on multiple fields in the header or payload. One of the routing choices is to send the frame to the IOP 66 processor. A reply to a REPORT LUNS command is identified by matching the Fibre Channel header fields S_ID, D_ID, and OX_ID of the reply to the D_ID, S_ID, and OX_ID of the original REPORT LUNS command. To edit the reply, the REPORT LUNS commands are intercepted by IOP 66 to get the fields needed.

In one aspect of the present invention, the following procedure is used:

On all switch ports that receive FCP_CMND REPORT LUNS commands from a SCSI initiator for the targets to which LUN zoning is being applied, alias cache 315 is set up to route REPORT LUNS commands to IOP 66, for example if:

-   R_CTL=hex 06 (FCP_CMND);
-   Type=hex 08 (SCSI FCP protocol);
-   Payload word 3, most significant byte=hex A0 (REPORT LUNS command); and
-   then route to IOP 66.

When a REPORT LUNS command is sent to IOP 66, it checks if the destination is a target using LUN zoning. If it is, alias cache 315 for that port is programmed to route the reply frame to IOP 66, for example:

-   If R_CTL=hex 01 (FCP_DATA);
-   D_ID=S_ID of REPORT LUNS command;
-   OX_ID=OX_ID of REPORT LUNS command; and
-   then route to IOP 66; and
-   then the trapped REPORT LUNS command is sent to its destination.

When the reply for REPORT LUNS is sent to IOP 66, IOP 66 removes the LUNs in the payload that are not authorized for the initiator. It then clears alias cache 315 entries for the reply. The edited REPORT LUNS reply is then sent to the original command initiator.

FIG. 6 shows a flow diagram for the foregoing process for modifying SCSI LUN REPORTS. The process starts in step S600 with the first port.

In step S601, alias cache 315 is set to intercept FCP REPORT LUN commands, so that the commands are routed to IOP 66. For example, if R_CTL=hex 06 (FCP_CMND); Type=hex 08 (SCSI FCP protocol); and payload word 3, most significant byte=hex A0 (REPORT LUNS command), then a REPORT LUN command is routed to IOP 66.

The process moves to the next port in step S602, until all the ports are set in step S603.

In step S604, the process determines if a REPORT LUN command is received. If true, then in step S605, alias cache 315 of the destination port is set to route the reply to the REPORT LUN command to IOP 66.

If a REPORT LUN command is not received in step S604, then the process determines if a reply has been received in step S606. If a reply is not received, the process goes back to step S604.

If a reply is received in step S606, then in step S607, unauthorized LUN data is removed from the reply data and the reply is sent to the destination. Thereafter, alias cache 315 entries are cleared for replies and the process moves back to step S604.
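The reply match and the edit performed by IOP 66 in step S607 can be sketched as follows. This is an added example, not code from the patent: the function names and sample data are constructed, the parameter data layout (4-byte big-endian LUN list length, 4 reserved bytes, then 8-byte LUN entries) comes from the SCSI standard rather than from this page, and the code assumes the whole reply payload is available in one buffer and that only single-level LUNs 0-127 can be authorized.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample: target reports LUNs 0, 1, 5 and 200; initiator may see 0 and 5. */
static const uint32_t sample_map[4] = { (1u << 0) | (1u << 5), 0, 0, 0 };
static uint8_t sample_reply[40] = {
    0, 0, 0, 32,  0, 0, 0, 0,            /* LUN list length = 32 bytes, reserved */
    0, 0,   0, 0, 0, 0, 0, 0,            /* LUN 0   */
    0, 1,   0, 0, 0, 0, 0, 0,            /* LUN 1   */
    0, 5,   0, 0, 0, 0, 0, 0,            /* LUN 5   */
    0, 200, 0, 0, 0, 0, 0, 0,            /* LUN 200 */
};

struct fc_ids { uint32_t s_id, d_id; uint16_t ox_id; };

/* A frame is the reply to a trapped command when its S_ID, D_ID and OX_ID
 * equal the command's D_ID, S_ID and OX_ID. */
int is_reply_to(const struct fc_ids *cmd, const struct fc_ids *frame)
{
    return frame->s_id == cmd->d_id && frame->d_id == cmd->s_id &&
           frame->ox_id == cmd->ox_id;
}

/* Assumption: only single-level LUNs 0-127 can be authorized (byte 0 and
 * bytes 2-7 zero); every other entry format is stripped. */
static int lun_allowed(const uint32_t map[4], const uint8_t e[8])
{
    static const uint8_t zero[6] = { 0 };

    if (e[0] != 0 || e[1] > 127 || memcmp(e + 2, zero, 6) != 0)
        return 0;
    return (map[e[1] >> 5] >> (e[1] & 0x1F)) & 1;
}

/* Edits the parameter data in place and returns its new length in bytes
 * (0 if the buffer cannot hold the 8-byte header). */
size_t report_luns_filter(uint8_t *buf, size_t len, const uint32_t map[4])
{
    if (len < 8)
        return 0;
    uint32_t list_len = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                        ((uint32_t)buf[2] << 8) | buf[3];
    size_t n = list_len / 8, kept = 0;
    if (n > (len - 8) / 8)
        n = (len - 8) / 8;               /* never read past what was received */

    for (size_t i = 0; i < n; i++) {
        uint8_t *e = buf + 8 + 8 * i;
        if (lun_allowed(map, e)) {
            memmove(buf + 8 + 8 * kept, e, 8);
            kept++;
        }
    }
    memset(buf + 8 + 8 * kept, 0, len - 8 - 8 * kept);  /* scrub removed LUNs */
    uint32_t out = (uint32_t)(8 * kept);
    buf[0] = (uint8_t)(out >> 24); buf[1] = (uint8_t)(out >> 16);
    buf[2] = (uint8_t)(out >> 8);  buf[3] = (uint8_t)out;
    return 8 + 8 * kept;
}
```

The rewritten list length counts only the entries that were kept, so the reply does not reveal how many LUNs were hidden.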

Although the present invention has been described with reference to specific embodiments, these embodiments are illustrative only and not limiting. Many other applications and embodiments of the present invention will be apparent in light of this disclosure and the following claims.

1-30. (canceled)
31. A method for a switch element having a port for receiving and transmitting network information, comprising: (a) configuring the port for intercepting a reply to a command received from an initiator requesting information regarding a logical unit number (LUN) at a target using LUN zoning; wherein the port intercepts the reply to the command and routes the reply to a processor for the switch element; (b) editing the reply to the command; wherein the processor edits the reply to delete information regarding any LUN that the initiator is not authorized to access; and (c) sending the edited reply to the initiator without the deleted unauthorized LUN information in step (b).

32. The method of claim 31, wherein the command is a REPORT LUN command used for discovering a LUN on a small computer systems interface (SCSI) storage device.

33. The method of claim 31, wherein an alias cache for the port is configured to identify the reply to the command which is routed to the processor if the target uses LUN zoning.

34. The method of claim 33, wherein after the edited reply is sent to the initiator, the processor clears the alias cache entries associated with the reply.

35. The method of claim 31, wherein the port identifies the reply to the command by matching one or more fields in the reply with one or more fields of the command.

36. The method of claim 31, wherein the port is configured to route the command to the processor.

37. The method of claim 36, wherein based on the fields in the command, the processor determines if the target is using LUN zoning and configures the port to automatically route the reply to the command to the processor for editing.

38. A method for a switch element having a port for receiving and transmitting information, comprising: (a) configuring the port for intercepting a reply to a command received from an initiator requesting information regarding a logical unit number (LUN) at a target using LUN zoning; wherein the port identifies the reply to the command by matching one or more fields in the reply with one or more fields of the command and routes the reply to a processor for the switch element; and wherein the port also routes the command to the processor and the processor determines if the target is using LUN zoning and configures the port to automatically route the reply to the command to the processor; (b) editing the reply to the command; wherein the processor edits the reply to delete information regarding any LUN that the initiator is not authorized to access; and (c) sending the edited reply to the initiator without the deleted unauthorized LUN information in step (b).

39. The method of claim 38, wherein the command is a REPORT LUN command used for discovering a LUN on a small computer systems interface (SCSI) storage device.

40. The method of claim 38, wherein an alias cache for the port is configured to identify the reply to the command, which is routed to the processor if the target uses LUN zoning.

41. The method of claim 40, wherein after the edited reply is sent to the initiator, the processor clears the alias cache entries associated with the reply.

42. A switch element for receiving and transmitting information, comprising: (a) a port for receiving and transmitting the information; wherein the port is configured to intercept a reply to a command received from an initiator requesting information regarding a logical unit number (LUN) at a target using LUN zoning; wherein after the port intercepts the reply to the command, the port routes the reply to a processor for the switch element; and wherein the processor edits the reply to delete information regarding any LUN that the initiator is not authorized to access; and the port sends the edited reply to the initiator without the deleted unauthorized LUN information.

43. The switch element of claim 42, wherein the command is a REPORT LUN command used for discovering a LUN on a small computer systems interface (SCSI) storage device.

44. The switch element of claim 42, wherein the port includes an alias cache that is configured to identify the reply to the command.

45. The switch element of claim 44, wherein after the edited reply is sent to the initiator, the processor clears the alias cache entries associated with the reply.

46. The switch element of claim 42, wherein the port identifies the reply to the command by matching one or more fields in the reply with one or more fields of the command.

47. The switch element of claim 42, wherein the port routes the command to the processor.

48. The method of claim 47, wherein based on the fields in the command, the processor determines if the target is using LUN zoning and configures the port to automatically route the reply to the command to the processor for editing.